Reliance on Cookies without Validation and Integrity Checking in phpservermon/phpservermon

Valid

Reported on

Jun 24th 2021


✍️ Description

The program creates a cookie without setting the secure flag to true. Modern web browsers support a secure flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.

In the example below, the code adds a cookie to the response without setting the secure flag:

setcookie('rememberme', $cookie_string, time() + PSM_LOGIN_COOKIE_RUNTIME, "/", PSM_LOGIN_COOKIE_DOMAIN);

🕵️‍♂️ Proof of Concept

The process involved in setting cookie are:-

1. The server asks the browser to set a cookie.
2. It gives a name, value and other parameters.
3. Browser stores the data in disk or memory.

Now as an attacker:

1. Attacker send the user any malicious link such as http://malicious-site.domain.com/
2. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. 
3. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. 
4. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://malicious-site.domain.com:443/ to perform the same attack.

💥 Impact

Using this vulnerability, an attacker can:-

  1. redirect the user to a malicious site to steal session cookie.
  2. show user false data which will, in turn, affect the credibility of the website.

🕵️‍♂️ Patch

Set the secure flag on all new cookies in order to instruct browsers not to send these cookies in the clear. This can be accomplished by passing true as the sixth argument to setcookie().

The code below corrects the mistake in code by setting the secure flag to true.

setcookie('rememberme', $cookie_string, time() + PSM_LOGIN_COOKIE_RUNTIME, "/", PSM_LOGIN_COOKIE_DOMAIN, TRUE);

Occurrences

References

We have contacted a member of the phpservermon team and are waiting to hear back a year ago
Tim Zandbergen validated this vulnerability a year ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Akshay Jain submitted a
a year ago
Tim Zandbergen
a year ago

Thanks Akshay, will merge and confirm asap.

Akshay Jain
a year ago

Researcher


Hi @Tim, any updates?

Tim Zandbergen confirmed that a fix has been merged on 76d0c2 a year ago
Akshay Jain has been awarded the fix bounty
to join this conversation